Those who don't understand UNIX are condemned to reinvent it, poorly.


Monitoring software updates on CentOS – but not security updates

You might already know the yum plugins: there is a plugin that enables “downloadonly” fetching of patches before the update, and another prominent one that checks all pending updates to see whether they are security related.

Some people have even built cool Nagios checks for reporting the updates[*], but none of them seem to actually verify that yum really reports a security update as a security update. Since I had been testing most of those plugins I had become really wary of the results. For example, last year there was almost half a year of delay in the CentOS updates; surely there would have to be a security update somewhere in those. But none were reported. Over the last weeks there were a few critical updates on Linux, making it a good time to test – again. The result was…

For the last time guys:

Using the yum security plugin and CentOS DO NOT COMPUTE!

The CentOS team is not adding the CVE data the plugin wants to read. Yes, it will tell you “no security updates”, but it is WRONG: the plugin does not handle missing security data and gives false results. GET it in your heads.
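One quick way to see whether a repository can feed the plugin at all (an added example, not part of the original post): yum-security reads advisory and CVE data from the `updateinfo` entry in `repodata/repomd.xml`, so if that entry is missing the plugin has nothing to match against. The two repomd.xml samples below are constructed for the demo and the function names are my own.

```shell
#!/bin/sh
# Added example: does a repo advertise updateinfo metadata at all?
# Without it, "yum --security check-update" has no advisory data to
# match and will report "no security updates" no matter what is pending.

# Returns 0 if the repomd.xml at $1 lists an updateinfo entry, 1 otherwise.
repomd_has_updateinfo() {
    grep -q '<data type="updateinfo">' "$1"
}

# Constructed sample: what a CentOS-style mirror typically publishes
# (primary, filelists, other; no updateinfo). Written to the path in $1.
write_centos_like_repomd() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary"><location href="repodata/primary.xml.gz"/></data>
  <data type="filelists"><location href="repodata/filelists.xml.gz"/></data>
  <data type="other"><location href="repodata/other.xml.gz"/></data>
</repomd>
EOF
}

# Constructed sample: a repo that does ship advisory data.
write_repomd_with_updateinfo() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary"><location href="repodata/primary.xml.gz"/></data>
  <data type="updateinfo"><location href="repodata/updateinfo.xml.gz"/></data>
</repomd>
EOF
}

# Prints a verdict for one repo ($1 = label, $2 = path to repomd.xml)
# and returns 0 when yum-security output can be trusted, 1 when it cannot.
check_repo() {
    if repomd_has_updateinfo "$2"; then
        echo "$1: updateinfo present, yum-security results are meaningful"
        return 0
    fi
    echo "$1: NO updateinfo, yum-security will wrongly report 'no security updates'"
    return 1
}

# Against a live mirror, fetch the file first, e.g.:
#   curl -s "$BASEURL/repodata/repomd.xml" > /tmp/repomd.xml
#   check_repo "updates" /tmp/repomd.xml
```

Run this against every enabled repo's `repomd.xml`; any repo that fails the check is one where “no security updates” from the plugin tells you nothing.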

Summary:

Please, don’t rely on yum security on CentOS: either manually verify your updates or choose a distro where the repo data is “spiced” with the security update data and all packages correctly reference the CVE IDs they’re fixing.

Also, afaik none of these RH-based distros will warn you based on a security hole alone. They’ll just warn you once there is a fix for an issue.